Hi Steve, Thanks for replying promptly. I have fixed this issue by replacing the following jars in guvnor.war. I debugged the guvnor code and found out that username is null in org.jboss.seam.security.IdentityImpl..activeAuthenticator. This is a JAAS Authenticator in which user is coming null. I found it out in IdentityImpl.postAuthenticate() method. 1. seam-security-3.1.0.Final.jar with seam-security-3.2.0.Final.jar and 2. seam-security-api-3.1.0.Final.jar with seam-security-api-3.2.0.Final.jar It worked with all the below configurations. I have created a number of users and they are getting authenticated. But, all the users are logged in with admin rights. I have two users which have "package.developer" rights but still those users can update any process in other packages. Even those users can update their own user permissions. Regards, Zahid Ahmed From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On Behalf Of Stephen Masters Sent: 15 May 2013 13:01 To: Rules Users List Subject: Re: [rules-users] Error : JAAS Authentication with Guvnor 5.5.0 and Authorization Error I think you may have hit this bug: https://issues.jboss.org/browse/GUVNOR-1976 I think it might be a duplicate of another, which I cant find. At root that was a Seam JAAS bug (5.5 introduced Guvnor to Seam 3), which prevented it from creating a security context. I'm not sure whether any solution was established though. Steve On 15 May 2013, at 09:27, Zahid Ahmed <zahid.ahmed@emirates.com<mailto:zahid.ahmed@emirates.com>> wrote: Hi, I have run into a set of errors configuring JAAS Authentication for Guvnor. I have searched a lot on jboss community and for all the solutions nothing is working for me. I am getting either the login popup or I am getting "This User has no permissions setup". The Guvnor Manual is referring to jboss eap 5 and I am trying to do this on Jboss AS 7.1. Note : I am unable to find login-config.xml file mentioned in the following link.http://docs.jboss.org/drools/release/5.5.0.Final/drools-guvnor-docs/... . Is guvnor deployment targeted only for JBOSS EAP 5.0 ? Environment: 1. Guvnor 5.5.0.Final 2. JBOSS AS 7.1.0 Files Configured (Only these files I configured): 1. Standalone.xml 2. Guvnor.war/WEB-INF/beans.xml 3. Created users using "add-user.sh" 4. standalone/configuration/application-users.properties (attached). 5. standalone/configuration/application-roles.properties (attached) 6. standalone/configuration/management-users.properties Configurations Standalone.xml : Only configured below tags. There's nothing else I changed for the purpose of JAAS Authentication and Guvnor Authorization. Added <security-domain name="drools-guvnor" cache-type="default"> to check if "other" is not working. <security-domain name="other" cache-type="default"> <authentication> <login-module code="Remoting" flag="optional"> <module-option name="password-stacking" value="useFirstPass"/> </login-module> <login-module code="RealmUsersRoles" flag="required"> <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/> <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/> <module-option name="realm" value="ApplicationRealm"/> <module-option name="password-stacking" value="useFirstPass"/> </login-module> </authentication> </security-domain> <security-domain name="drools-guvnor" cache-type="default"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"> <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/> <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/> <module-option name="realm" value="ApplicationRealm"/> <module-option name="password-stacking" value="useFirstPass"/> </login-module> </authentication> </security-domain> Drools-guvnor.war. 1. beans.xml (Tried 4 different configs as suggested on community) a. Config 1 (Attached "Config1 beans.xml" and Config1 error.txt) . Error "This User has no permission setup". <security:IdentityImpl> <s:modifies/> <!-- JAAS based authentication --> <security:authenticatorName>jaasAuthenticator</security:authenticatorName> </security:IdentityImpl> <security:jaas.JaasAuthenticator> <s:modifies/> <jaasConfigName>other</jaasConfigName> </security:jaas.JaasAuthenticator> <!-- SECURITY AUTHORIZATION CONFIGURATION --> <!-- This is used to enable or disable role-based authorization. By default it is disabled. --> <guvnorSecurity:RoleBasedPermissionResolver> <s:modifies/> <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization> </guvnorSecurity:RoleBasedPermissionResolver> b. Config 2 (Attached "Config2 beans.xml" and Config2 error.txt). Error "This User has no permission setup". <security:IdentityImpl> <s:modifies/> <!-- JAAS based authentication --> <security:authenticatorName>jaasAuthenticator</security:authenticatorName> </security:IdentityImpl> <security:jaas.JaasAuthenticator> <s:modifies/> <security:jaasConfigName>drools-guvnor</security:jaasConfigName> </security:jaas.JaasAuthenticator> <!-- SECURITY AUTHORIZATION CONFIGURATION --> <!-- This is used to enable or disable role-based authorization. By default it is disabled. --> <guvnorSecurity:RoleBasedPermissionResolver> <s:modifies/> <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization> </guvnorSecurity:RoleBasedPermissionResolver> c. Config 3 (Attached "Config3 beans.xml" and Config1 error.txt). Error (Same error as of Config 1) "This User has no permission setup". <security:IdentityImpl> <s:modifies/> <!-- JAAS based authentication --> <security:authenticatorName>jaasAuthenticator</security:authenticatorName> </security:IdentityImpl> <security:jaas.JaasAuthenticator> <s:modifies/> <jaasConfigName>other</jaasConfigName> </security:jaas.JaasAuthenticator> <guvnorSecurity:RoleBasedPermissionResolver> <s:modifies/> <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization> </guvnorSecurity:RoleBasedPermissionResolver> <component name="org.jboss.seam.security.roleBasedPermissionResolver"> <s:modifies/> <property name="enableRoleBasedAuthorization">true</property> </component> I HAVE ALSO ADDED THIS COMPONENT TAG found every where on forums to resolve this issue. I tried Tried without this also but at that time I get LOGIN screen which always says Incorrect User/Password.Is this required or <guvnorSecurity:RoleBasedPermissionResolver> is the only authorization config. <component name="org.jboss.seam.security.roleBasedPermissionResolver">; <s:modifies/> <property name="enableRoleBasedAuthorization">true</property> </component> Kindly help me in this configuration. I can't find a single authentic document for my environment. Regards, Zahid <standalone.xml><Guvnor User Permission tab.png><application-roles.properties><application-users.properties><mgmt-users.properties><Config1 beans.xml><Config1 error.txt><Config2 beans.xml><Config2 error.txt><Config3 beans.xml><Config3 error.txt>_______________________________________________ rules-users mailing list rules-users@lists.jboss.org<mailto:rules-users@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/rules-users

I think there is another JIRA (that is closed for 5.6.x) that fixed the same problem. Any help cross-referencing and closing duplicates appreciated :) On 15 May 2013 13:49, Stephen Masters <stephen.masters(a)me.com&gt; wrote:

Hi, I still have two problems related to the said issue. One is for the proper config and one is related to Role based Authorization in guvnor. Kindly suggest a solution in this regard, 1. After user is authenticated, I want to limit access of users i.e "Developer A" has "package.developer" access on packageA and "package.readonly" access on rest of the packages. For this I have created user permissions in Guvnor's "Administration Tab". But, after login as "DeveloperA", DeveloperA is able modify PackageA assets and also it can modify and save assets of other packages for which he has only readonly access. So kindly advise, what configuration I might have missed to setup the RoleBasedAuthorization. In my original post I have attached the screenshot of guvnor user permissions tab. 2. Second concern is that which out of the below configs must be used for JAAS configuration, the seam config or the guvnor one. Currently my configs are working with SEAM Security. But the real twist is that beans.xml has only "<guvnorSecurity:RoleBasedPermissionResolver>". And I had to add the seam security component after getting some info from the online community. So which one out of these is required for Role Based Permissions on guvnor (Which actually isn't working. Everyone is AUTHORIZED to access anything out of their role). <!-Guvnor Security Role Based Permissions --> <guvnorSecurity:RoleBasedPermissionResolver> <s:modifies/> <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization> </guvnorSecurity:RoleBasedPermissionResolver> <!-SEAM Security RoleBasedPermissionResolver --> <component name="org.jboss.seam.security.roleBasedPermissionResolver"> <s:modifies/> <property name="enableRoleBasedAuthorization">true</property> </component> From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On Behalf Of Stephen Masters Sent: 15 May 2013 18:10 To: Rules Users List Subject: Re: [rules-users] Error : JAAS Authentication with Guvnor 5.5.0 and Authorization Error I have just added a bit of cross referencing. As Mike mentions, I'm sure there was a Guvnor bug raised, which was flagged as fixed. However, I can't find it linked off the Seam bug, and I can't find it through a bit of keyword searching in Jira. btw ... I thought my English was reasonable, but I can't for the life of me work out what the difference is between "relates to" and "is related to" when linking 2 issues. Feel free to correct the link I created. On 15 May 2013, at 13:56, Michael Anstis <michael.anstis@gmail.com<mailto:michael.anstis@gmail.com>> wrote: I think there is another JIRA (that is closed for 5.6.x) that fixed the same problem. Any help cross-referencing and closing duplicates appreciated :) On 15 May 2013 13:49, Stephen Masters <stephen.masters@me.com<mailto:stephen.masters@me.com>> wrote: That's great news. Sounds like a simple enough workaround. If you have an account on there, it would probably be a good idea to write the workaround into a comment on the Jira issue, so that future victims are able to fix their build quickly. Steve On 15 May 2013, at 13:28, Zahid Ahmed <zahid.ahmed@emirates.com<mailto:zahid.ahmed@emirates.com>> wrote: Hi Steve, Thanks for replying promptly. I have fixed this issue by replacing the following jars in guvnor.war. I debugged the guvnor code and found out that username is null in org.jboss.seam.security.IdentityImpl..activeAuthenticator. This is a JAAS Authenticator in which user is coming null. I found it out in IdentityImpl.postAuthenticate() method. 1. seam-security-3.1.0.Final.jar with seam-security-3.2.0.Final.jar and 2. seam-security-api-3.1.0.Final.jar with seam-security-api-3.2.0.Final.jar It worked with all the below configurations. I have created a number of users and they are getting authenticated. But, all the users are logged in with admin rights. I have two users which have "package.developer" rights but still those users can update any process in other packages. Even those users can update their own user permissions. Regards, Zahid Ahmed From: rules-users-bounces@lists.jboss.org<mailto:rules-users-bounces@lists.jboss.org> [mailto:rules-<mailto:rules->users-bounces@lists.jboss.org<mailto:users-bounces@lists.jboss.org>] On Behalf Of Stephen Masters Sent: 15 May 2013 13:01 To: Rules Users List Subject: Re: [rules-users] Error : JAAS Authentication with Guvnor 5.5.0 and Authorization Error I think you may have hit this bug: https://issues.jboss.org/browse/GUVNOR-1976 I think it might be a duplicate of another, which I cant find. At root that was a Seam JAAS bug (5.5 introduced Guvnor to Seam 3), which prevented it from creating a security context. I'm not sure whether any solution was established though. Steve On 15 May 2013, at 09:27, Zahid Ahmed <zahid.ahmed@emirates.com<mailto:zahid.ahmed@emirates.com>> wrote: Hi, I have run into a set of errors configuring JAAS Authentication for Guvnor. I have searched a lot on jboss community and for all the solutions nothing is working for me. I am getting either the login popup or I am getting "This User has no permissions setup". The Guvnor Manual is referring to jboss eap 5 and I am trying to do this on Jboss AS 7.1. Note : I am unable to find login-config.xml file mentioned in the following link.http://docs.jboss.org/drools/release/5.5.0.Final/drools-guvnor-docs/... . Is guvnor deployment targeted only for JBOSS EAP 5.0 ? Environment: 1. Guvnor 5.5.0.Final 2. JBOSS AS 7.1.0 Files Configured (Only these files I configured): 1. Standalone.xml 2. Guvnor.war/WEB-INF/beans.xml 3. Created users using "add-user.sh" 4. standalone/configuration/application-users.properties (attached). 5. standalone/configuration/application-roles.properties (attached) 6. standalone/configuration/management-users.properties Configurations Standalone.xml : Only configured below tags. There's nothing else I changed for the purpose of JAAS Authentication and Guvnor Authorization. Added <security-domain name="drools-guvnor" cache-type="default"> to check if "other" is not working. <security-domain name="other" cache-type="default"> <authentication> <login-module code="Remoting" flag="optional"> <module-option name="password-stacking" value="useFirstPass"/> </login-module> <login-module code="RealmUsersRoles" flag="required"> <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/> <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/> <module-option name="realm" value="ApplicationRealm"/> <module-option name="password-stacking" value="useFirstPass"/> </login-module> </authentication> </security-domain> <security-domain name="drools-guvnor" cache-type="default"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"> <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/> <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/> <module-option name="realm" value="ApplicationRealm"/> <module-option name="password-stacking" value="useFirstPass"/> </login-module> </authentication> </security-domain> Drools-guvnor.war. 1. beans.xml (Tried 4 different configs as suggested on community) a. Config 1 (Attached "Config1 beans.xml" and Config1 error.txt) . Error "This User has no permission setup". <security:IdentityImpl> <s:modifies/> <!-- JAAS based authentication --> <security:authenticatorName>jaasAuthenticator</security:authenticatorName> </security:IdentityImpl> <security:jaas.JaasAuthenticator> <s:modifies/> <jaasConfigName>other</jaasConfigName> </security:jaas.JaasAuthenticator> <!-- SECURITY AUTHORIZATION CONFIGURATION --> <!-- This is used to enable or disable role-based authorization. By default it is disabled. --> <guvnorSecurity:RoleBasedPermissionResolver> <s:modifies/> <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization> </guvnorSecurity:RoleBasedPermissionResolver> b. Config 2 (Attached "Config2 beans.xml" and Config2 error.txt). Error "This User has no permission setup". <security:IdentityImpl> <s:modifies/> <!-- JAAS based authentication --> <security:authenticatorName>jaasAuthenticator</security:authenticatorName> </security:IdentityImpl> <security:jaas.JaasAuthenticator> <s:modifies/> <security:jaasConfigName>drools-guvnor</security:jaasConfigName> </security:jaas.JaasAuthenticator> <!-- SECURITY AUTHORIZATION CONFIGURATION --> <!-- This is used to enable or disable role-based authorization. By default it is disabled. --> <guvnorSecurity:RoleBasedPermissionResolver> <s:modifies/> <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization> </guvnorSecurity:RoleBasedPermissionResolver> c. Config 3 (Attached "Config3 beans.xml" and Config1 error.txt). Error (Same error as of Config 1) "This User has no permission setup". <security:IdentityImpl> <s:modifies/> <!-- JAAS based authentication --> <security:authenticatorName>jaasAuthenticator</security:authenticatorName> </security:IdentityImpl> <security:jaas.JaasAuthenticator> <s:modifies/> <jaasConfigName>other</jaasConfigName> </security:jaas.JaasAuthenticator> <guvnorSecurity:RoleBasedPermissionResolver> <s:modifies/> <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization> </guvnorSecurity:RoleBasedPermissionResolver> <component name="org.jboss.seam.security.roleBasedPermissionResolver"> <s:modifies/> <property name="enableRoleBasedAuthorization">true</property> </component> I HAVE ALSO ADDED THIS COMPONENT TAG found every where on forums to resolve this issue. I tried Tried without this also but at that time I get LOGIN screen which always says Incorrect User/Password.Is this required or <guvnorSecurity:RoleBasedPermissionResolver> is the only authorization config. <component name="org.jboss.seam.security.roleBasedPermissionResolver">; <s:modifies/> <property name="enableRoleBasedAuthorization">true</property> </component> Kindly help me in this configuration. I can't find a single authentic document for my environment. Regards, Zahid <standalone.xml><Guvnor User Permission tab.png><application-roles.properties><application-users.properties><mgmt-users.properties><Config1 beans.xml><Config1 error.txt><Config2 beans.xml><Config2 error.txt><Config3 beans.xml><Config3 error.txt>_______________________________________________ rules-users mailing list rules-users@lists.jboss.org<mailto:rules-users@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/rules-users _______________________________________________ rules-users mailing list rules-users@lists.jboss.org<mailto:rules-users@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/rules-users _______________________________________________ rules-users mailing list rules-users@lists.jboss.org<mailto:rules-users@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/rules-users _______________________________________________ rules-users mailing list rules-users@lists.jboss.org<mailto:rules-users@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/rules-users